Apache + Perl + NTLM / LDAP == Single signon?

We have a Perl application that runs under Apache on Solaris using CGI::Application. Everything is working fine. We would like to access the USER_ID variable passed by IE browser and execute some database queries and LDAP queries.

I have looked through the Apache documentation and I cannot figure out how to do this. We do not have access to the Internet (this is an intranet) from Solaris servers, so we need to compile everything ourselves.

Does anyone have a checklist (or tutorial) of what Apache needs (modules / plugins) to achieve this and how to configure it?

+3
2 answers

mod_ntlm mod_ldap apache, .

, mod_ntlm, ldap " " - ?

, , : http://sivel.net/2007/05/sso-apache-ad-1/

linux rpm, twiki solaris10 : http://twiki.org/cgi-bin/view/Codev/NtlmForSolaris10#How_to_build_your_own_mod_ntlm_b

0

NTLM Winbind

auth_ntlm_winbind_module (mod_auth_ntlm_winbind.so) . Samba winbind, .

Samba:

git clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git 

NTLM :

<Directory /srv/http>
         Allow from all
         AuthName "NTLM Authentication thingy"
         NTLMAuth on
         NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
         NTLMBasicAuthoritative on
         AuthType NTLM
         require valid-user
         AllowOverride all
</Directory>


LoadModule auth_ntlm_winbind_module /usr/lib/httpd/modules/mod_auth_ntlm_winbind.so

Windows REMOTE_USER:

#!/usr/bin/perl
use strict;
use warnings;
use CGI;

my $query = CGI->new;
# REMOTE_USER is set by Apache once the NTLM authentication has succeeded
my $windows_account = $query->remote_user();



LDAP

- authnz_ldap_module (mod_authnz_ldap.so). , . , . Single signon, .

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so


<Directory /srv/http>
    AuthName "Authentication required"
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthBasicProvider ldap

    # "protocol://hostname:port/base?attribute?scope?filter" NONE
    # NONE indicates that an unsecure connection should be used for LDAP, i.e. port 389
    AuthLDAPURL "ldap://your.ldap.server.net:389/OU=the,OU=search,OU=node,DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)" NONE


    # This is only needed if your LDAP server doesn't allow anonymous binds
    AuthLDAPBindDN "CN=AD Bind User,OU=the,OU=bind,OU=node,DC=domain,DC=net"
    AuthLDAPBindPassword super-secret

    Require valid-user
    AllowOverride all
</Directory>


+3
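Once Apache has authenticated the request with either module above, the Perl side still has to treat REMOTE_USER as the only trustworthy source of the account and keep it out of LDAP filters and SQL strings. This added example (not from either answer) shows that handling; the `app_users` table, its columns and the `CORP\jsmith` sample value are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the original answers: derive the account from
# REMOTE_USER (which Apache sets only after mod_auth_ntlm_winbind or
# mod_authnz_ldap has authenticated the request) and use it safely in the
# follow-up LDAP and database queries. Table and column names are assumptions.
use strict;
use warnings;

# Accept the account only from REMOTE_USER, never from a client-supplied header.
# winbind commonly reports it as DOMAIN\user; keep the account part and apply a
# strict sAMAccountName whitelist so nothing odd reaches LDAP or SQL.
sub authenticated_account {
    my $remote = $ENV{REMOTE_USER};
    return undef unless defined $remote && length $remote;
    my ($account) = $remote =~ /^(?:[^\\+]+[\\+])?([^\\+]+)$/;
    return undef unless defined $account;
    return undef unless $account =~ /^[A-Za-z0-9._-]{1,20}$/;
    return lc $account;
}

# RFC 4515 escaping for any value interpolated into an LDAP search filter.
# The whitelisted account needs no escaping, but other attributes (display
# names, e-mail addresses) do, so the filter builder always goes through it.
sub ldap_filter_escape {
    my ($value) = @_;
    $value =~ s/([\\*()\0])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

sub user_ldap_filter {
    my ($account) = @_;
    return '(&(objectClass=user)(sAMAccountName=' . ldap_filter_escape($account) . '))';
}

# Parameterised DBI statement: the account is a bind value, never string-joined.
sub user_db_query {
    my ($account) = @_;
    return ('SELECT user_id, full_name FROM app_users WHERE login = ?', $account);
}

# Constructed sample value, as Apache would have set it after NTLM authentication
local $ENV{REMOTE_USER} = 'CORP\jsmith';
my $account = authenticated_account() or die "Request was not authenticated by Apache\n";
print "LDAP filter: ", user_ldap_filter($account), "\n";
my ($sql, @bind) = user_db_query($account);
print "SQL: $sql  (bind: @bind)\n";
```

Under a real CGI::Application run mode the `local $ENV{REMOTE_USER}` line is dropped and the filter and statement are handed to Net::LDAP and DBI respectively.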
